author | unknown <bar@mysql.com/bar.myoffice.izhnet.ru> | 2007-05-23 12:34:47 +0500 |
---|---|---|
committer | unknown <bar@mysql.com/bar.myoffice.izhnet.ru> | 2007-05-23 12:34:47 +0500 |
commit | dceaaebb807a6f7cf0b806e913fe45cc01ca4c42 (patch) | |
tree | 5b7b2e8723f789a9bd16272d476bdde8187337bf /sql/item_xmlfunc.cc | |
parent | 82f4b06e8ea2cc5c6894b85fd52e339ac07d7a3f (diff) | |
Bug#28558 UpdateXML called with garbage crashes server
Problem: Memory overrun happened in attempts to generate
error messages (e.g. in case of incorrect XPath syntax).
Reason: set_if_bigger() was used instead of set_if_smaller().
Change: replacing wrong set_if_bigger() to set_if_smaller(),
and making minor additional code clean-ups.
mysql-test/r/xml.result:
Adding test cases for all pieces of code with
set_if_smaller() followed by my_printf_error().
mysql-test/t/xml.test:
Adding test cases for all pieces of code with
set_if_smaller() followed by my_printf_error().
sql/item_xmlfunc.cc:
- fixing incorrect set_if_bigger to set_if_smaller in two places
- getting rid of unnecessary "char context[32]" variable and
using '%.*s' instead of '%s' in the error format.
Diffstat (limited to 'sql/item_xmlfunc.cc')
-rw-r--r-- | sql/item_xmlfunc.cc | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc index 147c2bc8212..428bffa6879 100644 --- a/sql/item_xmlfunc.cc +++ b/sql/item_xmlfunc.cc @@ -923,8 +923,8 @@ static Item *create_comparator(MY_XPATH *xpath, else if (a->type() == Item::XPATH_NODESET && b->type() == Item::XPATH_NODESET) { - uint len= context->end - context->beg; - set_if_bigger(len, 32); + uint len= xpath->query.end - context->beg; + set_if_smaller(len, 32); my_printf_error(ER_UNKNOWN_ERROR, "XPATH error: " "comparison of two nodesets is not supported: '%.*s'", @@ -2591,12 +2591,10 @@ void Item_xml_str_func::fix_length_and_dec() if (!rc) { - char context[32]; uint clen= xpath.query.end - xpath.lasttok.beg; - set_if_bigger(clen, sizeof(context) - 1); - strmake(context, xpath.lasttok.beg, clen); - my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%s'", - MYF(0), context); + set_if_smaller(clen, 32); + my_printf_error(ER_UNKNOWN_ERROR, "XPATH syntax error: '%.*s'", + MYF(0), clen, xpath.lasttok.beg); return; } |
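Review bot: The difference in `uint len= xpath->query.end - context->beg;` is stored in an unsigned value with no check that `context->beg` lies at or before `xpath->query.end`. If that ordering ever failed, the value would wrap, `set_if_smaller(len, 32)` would clamp it to 32, and `'%.*s'` would print up to 32 bytes that start outside the query text. Whether the ordering can fail is not visible from this hunk, so this is a defensive guard rather than a confirmed defect: `uint len= context->beg < xpath->query.end ? (uint) (xpath->query.end - context->beg) : 0;`. The second hunk has the same pattern at `uint clen= xpath.query.end - xpath.lasttok.beg;`. Both create_comparator() and fix_length_and_dec() start and end outside their hunks.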
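Review bot: The limit in `set_if_smaller(clen, 32);` is now a bare literal that is repeated in create_comparator() in the first hunk, and neither site says why the clamp has to be an upper bound, which is exactly the confusion this commit fixes. A single shared constant and a one-line comment above each clamp would keep the two sites in step, for example `/* Print at most 32 bytes of the query, and never more than remain before query.end */`. The removed code copied at most `sizeof(context) - 1` bytes, i.e. 31, so the syntax-error message can now be one byte longer than before. fix_length_and_dec() continues outside the hunk.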